diff --git a/src/tls.c b/src/tls.c
index 9f0e2796a1..b8ee47711f 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -937,6 +937,9 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
     word32       realLen;
     byte         extraBlock;
 
+    if (macLen <= 0 || macLen > (int)sizeof(hmac->innerHash))
+        return BAD_FUNC_ARG;
+
     switch (hmac->macType) {
     #ifndef NO_SHA
         case WC_SHA: